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Abstract 

We show that time complexity analysis of higher-order functional programs can be effectively reduced 
to an arguably simpler (although computationally equivalent) verification problem, namely checking first- 
order inequalities for validity. This is done by giving an efficient inference algorithm for linear dependent 
types which, given a PCF term, produces in output both a linear dependent type and a cost expression 
for the term, together with a set of proof obligations. Actually, the output type judgement is derivable 
iff all proof obligations are valid. This, coupled with the already known relative completeness of linear 
dependent types, ensures that no information is lost, i.e., that there are no false positives or negatives. 
Moreover, the procedure reflects the difficulty of the original problem: simple PCF terms give rise to 
sets of proof obligations which are easy to solve. The latter can then be put in a format suitable 
for automatic or semi-automatic verification by external solvers. Ongoing experimental evaluation has 
produced encouraging results, which are briefly presented in the paper. 

1 Introduction 

One of the most crucial non-functional properties of programs is the amount of resources (like time, memory 
and power) they need when executed. Deriving upper bounds on the resource consumption of programs is 
crucial in many cases, but is in fact an undccidablc problem as soon as the underlying programming language 
is non-trivial. If the units of measurement in which resources are measured become concrete and close to the 
physical ones, the problem becomes even more complicated, given the many transformation and optimisation 
layers programs are applied to before being executed. A typical example is the one of WCET techniques 
adopted in real-time systems [30] . which do not only need to deal with how many machine instructions a 
program corresponds to, but also with how much time each instruction costs when executed by possibly 
complex architectures (including caches, pipelining, etc.), a task which is becoming even harder with the 
current trend towards multicores architectures. 

A different approach consists in analysing the abstract complexity of programs. As an example, one 
can take the number of instructions executed by the program as a measure of its execution time. This is 
of course a less informative metric, which however becomes more accurate if the actual time complexity of 
each instruction is kept low. One advantage of this analysis is the independence from the specific hardware 
platform executing the program at hand: the latter only needs to be analysed once. A variety of verification 
techniques have been employed in this context, from abstract interpretation [TU] to type systems [53] to 
program logics [22] to interactive theorem proving] 

Among the many type-based techniques for complexity analysis, a recent proposal consists in going 
towards systems of linear dependent types, as suggested by Marco Gaboardi and the first author |12j . In 
linear dependent type theories, a judgement has the form hi t : a, where a is the type of t and I is its cost, 
an estimation of its time complexity. In this paper, we show that the problem of checking, given a PCF 
term t and I, whether h i t : a holds can be efficiently reduced to the one of checking the truth of a set of 
proof obligations, themselves formulated in the language of a first-order equational program. Interestingly, 
simple A-terms give rise to simple equational programs. In other words, linear dependent types are not only 
a sound and relatively complete methodology for inferring time bounds of programs \12\ 113] : they also allow 
to reduce complexity analysis to an arguably simpler (although computationally equivalent) problem which 

1 A detailed discussion with related work is in Section lol 
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Figure 1: General scheme of the type inference algorithm. 

is much better studied and for which a variety of techniques and concrete tools exist [§]■ Noticeably, the 
bounds one obtains this way translate to bounds on the number of steps performed by evaluation machines 
for the A-calculus, which means that the induced metrics are not too abstract after all. The type inference 
algorithm is described in Section |4j 

The scenario, then, becomes similar to the one in Floyd-Hoare program logics for imperative programs, 
where completeness holds [5j (at least for the simplest idioms [7i ) and weakest preconditions can be generated 
automatically (see, e.g., |22j). A benefit of working with functional programs is that type inference — the 
analogue of generating WPs — can be done compositionally without the need of guessing invariants. 

Linear dependent types are simple types annotated with some index terms, i.e. first-order terms reflecting 
the value of data flowing inside the program. Type inference produces in output a type derivation, a set of 
inequalities (which should be thought of as proof obligations) and an equational program £ giving meaning 
to function symbols appearing in index terms (see Figure [IJ . A natural thing to do once E and the various 
proof obligations are available is to try to solve them automatically, as an example through SMT solvers. If 
automatically checking the inequalities for truth does not succeed (which must happen, in some cases), one 
can anyway find useful information in the type derivation, as it tells you precisely which data every symbol 
corresponds to. We elaborate on this issue in Section [5j 

But where does linear dependency come from? Linear dependent types can be seen as a way to turn 
Girard's geometry of interaction [17] (or, equivalently, AJM games PQ) into a type system for the A-calculus: 
the equational program one obtains as a result of type inference of a term t is nothing but as a description 
of a token machine for t. In presence of linear dependency, any term which can possibly be duplicated, 
can receive different, although uniform, types, similarly to what happens in BLL [18] . As such, this form of 
dependency is significantly simpler than the one of, e.g., the calculus of inductive constructions. 

2 Linear Dependency at a Glance 

Traditionally, type systems carry very little information about the value of data manipulated by programs, 
instead focusing on their nature. As an example, all (partial recursive) functions from natural numbers 
to natural numbers can be typed as Nat => Nat in the A-calculus with natural numbers and higher-order 
recursion, also known as PCF [27j . This is not an intrinsic limit of the type-based analysis of programs, 
however: much richer type disciplines have flourished in the last twenty years [211 1141 1101 [3]. All of them 
guarantee stronger properties for typable programs, the price being a more complicated type language and 
computationally more difficult type inference and checking problems. As an example, sized types |21j are a 
way to ensure termination of functional programs based on size information. In systems of sized types, a 
program like 

t = Ax. Ay. add (add x y) (succ y) 



2 



can be typed as Nat a => Nat;, => Nat +26+i, and in general as Nat Q => Natf, => Nati, where I 3= a + 26 + 1. In 
other words, the PCF type Nat is refined into Nati (where I is an arithmetical expression) whose semantics 
is the set of all natural numbers smaller or equal to I, i.e. the interval [0, 1] c N. The role of size information 
is to ensure that all functions terminate, and this is done by restricting the kind of functions of which one 
is allowed to form fixpoints. Sized types are nonlinear: arguments to functions can be freely duplicated. 
Moreover, the size information is only approximate, since the expression labelling base types is only an upper 
bound on the size of typable values. 

Linear dependent types can be seen as a way to inject precision and linearity into sized types. Indeed, t 
receives the following type in d-^PCFv [13] : 

c<I d<J 

Nat[0, a] -o Nat[0, 6] -o Nat[0, a + 26 + 1]. (1) 

As one can easily realise, Nat[K, H] is the type of all natural numbers in the interval [K, H] c N. Moreover, 
fc<j 

a ^> r is the type of linear functions from er to r which can be copied by the environment J times. The J 
copies of the function have types obtained by substituting 0, . . . , J — 1 for b in a and r. This is the key idea 
behind linear dependency. The type ([!]) is imprecise, but can be easily turned into 

i c<I _ , d<J 

Nat [a, a] -o Nat [6, b] -o Nat [a + 26 + 1, a + 2b + 1], (2) 

itself a type of t. In the following, the singleton interval type Nat[K,K] is denoted simply as Nat[K]. 

Notice that linear dependency is not exploited in ([2]), e.g., d does not appear free in Nat [6] nor in 
Nat [a + 26+1]. Yet, ([2| precisely captures the functional behaviour of t. If d does not appear free in a nor 

d<i i 
in t, then o — o r can be abbreviated as a — o r. Linear dependency becomes necessary in presence of higher 

order functions. Consider, as another example, the term 

U = Xx.Xy. if z y then else xy 

u has simple type (Nat => Nat) => Nat => Nat. One way to turn it into a linear dependent type is the 
following 

H K L 

(Nat [a] -o Nat [I]) -o Nat [a] -o Nat [J], (3) 

where J equals when a = and J equals I otherwise. Actually, u has type Q for every I and J, provided 
the two expressions are in the appropriate relation. Now, consider the term 

v = (Xx.Xy. (x pred (x id y))) u. 

The same variable x is applied to the identity id and to the predecessor pred. Which type should we give to 
the variable x and to u, then? If we want to preserve precision, the type should reflect both uses of x. The 
right type for u is actually the following: 

1 c<2 1 

(Nat [a] -o Nat [I]) ^> Nat [a] -o Nat [J] (4) 

where both I and J evaluate to a if c = and to a — 1 otherwise. If id is replaced by succ in the definition 
of v, then Q becomes even more complicated: the first "copy" of J is fed not with a but with either or 
a + 1. 

Linear dependency precisely consists in allowing different copies of a term to receive types which are 
indexed differently (although having the same "functional skeleton") and to represent all of them in compact 
form. This is in contrast to, e.g., intersection types, where the many different ways a function uses its 
argument could even be structurally different. This, as we will see in Section [3j has important consequences 
on the kind of completeness results one can hope for: if the language in which index terms are written is 
sufficiently rich, then the obtained system is complete in an intensional sense: a precise type can be given 
to every terminating t having type Nat => Nat. 
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Figure 2: Evaluation of a term in the CEKpcf abstract machine. 



Noticeably, linear dependency allows to get precise information about the functional behaviour of pro- 
grams without making the language of types too different from the one of simple types (e.g., one does not 
need to quantify over index variables, as in sized types). The price to pay, however, is that types, and 
especially higher-order types, need to be context aware: when you type u as a subterm of v (see above) you 
need to know which arguments u will be applied to. Despite this, a genuinely compositional type inference 
procedure can actually be designed and is the main technical contribution of this paper. 

2.1 Linearity, Abstract Machines and the Complexity of Evaluation 

Why dependency, but specially linearity, are so useful for complexity analysis? Actually, typing a term 
using linear dependent types requires finding an upper bound to the number of times each value is copied 
by its environment, called its potential. In the term v from the example above, the variable x is used twice, 
and accordingly one finds c < 2 in Q. Potentials of higher-order values occurring in a term are crucial 
parameters for the complexity of evaluating the term by abstract mechanisms The following is an 

hopefully convincing (but necessarily informal) discussion about why this is the case. 

Configurations of abstract machines for the A-calculus (like Friedman and Felleisen's CEK and Krivine's 
KAM) can be thought of as being decomposable into two distinct parts: 

• First of all, there are duplicable entities which are either copied entirely or turned into non-duplicable 
entities. This includes, in particular, terms in so-called environments. Each (higher-order) duplicable 
entity is a subterm of the term the computation started from. 

• There are non-duplicable entities that the machine uses to look for the next redex to be fired. Typically, 
these entities are the current term and (possibly) the stack. The essential feature of non-duplicable 
entities is the fact that they are progressively "consumed" by the machine during evaluation: the search 
for the next redex somehow consists in traversing the non-duplicable entities until a redex is found or a 
duplicable entity needs to be turned into a non-duplicable one. 

As an example, consider the process of evaluating the PCF term 

(A/, ifz (/0) then else /(/0))((Ax.Ay.addxy) 3) 
by an appropriate generalisation of the CEK machine, see Figure[2j Initially, the whole term is non-duplicable. 
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By travelling into it, the machine finds a first redex u; at that point, 3 becomes duplicable. The obtained 
closure itself becomes part of the environment £, and the machine looks into the body of t, ending up 
in an occurrence of /, which needs to be replaced by a copy of £(/). After an instantiation step, a new 
non-duplicable entity £(/) indeed appears. Note that, by an easy combinatorial argument, the number of 
machine steps necessary to reach / is at most (proportional to) the size of the starting term tu, since reaching 
/ requires consuming non-duplicable entities which can only be created through instantiations. After a copy 
of £(/) becomes non-duplicable, some additional "nonduplicable fuel" becomes available, but not too much: 
Xy.&ddxy is after all a subterm of the initial term. 

The careful reader should already have guessed the moral of this story: when analysing the time complex- 
ity of evaluation, we could limit ourselves to counting how many instantiation steps the machine performs 
(as opposed to counting all machine steps). We claim, on the other hand, that the number of instantiation 
steps equals the sum of potentials of all values appearing in the initial term, something that can be easily 
inferred from the kind of precise linear typing we were talking about at the beginning of this section. 

Summing up, once a dependently linear type has been attributed to a term t, the time complexity of 
evaluating t can be derived somehow for free: not only an expression bounding the number of instantiation 
steps performed by an abstract machine evaluating t can be derived, but it is part of the underlying type 
derivation, essentially. As a consequence, reasoning (automatically or not) about it can be done following 
the structure of the program. 

3 Programs and Types, Formally 

In this section, we present the formalism of d£PCF, a linear dependent type system for PCF |27) . Two 
versions exist: d^PCF^ and d^PCFv, corresponding to call-by-name and call-by-value evaluation of terms, 
respectively. The two type systems are diffcrcrcnt, but the underlying idea is basically the same. We give 
here the details of the CBV version [T3] , which better corresponds to widespread intuitions about evaluation, 
but also provide some indications about the CBN setting [T2] , 

3.1 Terms and Indexes 

Terms are given by the usual PCF grammar: 

s,t,u := x | n | tu | Xx.t | p(<) | s(t) 
fix x.t | ifz t then u else s. 

A value (denoted by v,w etc. ) is either a primitive integer n, or an abstraction Xx.t, or a fixpoint fix x.t. 
In addition to the usual terms of the A-calculus, there are a fixpoint construction, primitive natural numbers 
with predecessor and successor, and conditional branching with a test for zero. For instance, a simple 
program computing addition is the following: 

add = fix x. Xy.Xz. ifz y then z else s(x (p(?/)) z) . 
3.1.1 Language of Indexes 

As explained informally in Section [2j a type in d^PCF consists in an annotation of a PCF type, where the 
annotation consists in some indexes. The latter are parametrised by a set of index variables V = {a, b, c, . . . } 
and an untyped signature of function symbols, denoted with f , g, h, etc. We assume contains at least 
the arithmetic symbols +, — , and 1, and we write n for 1 + • • • + 1 (n times). Indexes arc then constructed 
by the following grammar: 

i,j 

I,J,K ::= a | f(Ii, - - . , I„) | £j | @K , 
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where n is the arity of f in 0. Free and bound index variables are defined as usual, taking care that all 
occurrences of a in J are bound in both Xia<i J an< ^ @1' K J- The substitution of a variable a with J in I is 
written I{ J/a}. Given an equational program £ attributing a meaning in N n N to some symbols of arity n 
(see Section 5 «, and a valuation p mapping index variables to N, the semantics [1]^ of an index I is either a 
natural number or undefined. Let us describe how we interpret the last two constructions, namely bounded 
sums and forest cardinalities. 

Bounded sums have the usual meaning: Xm<i J i s simply the sum of all possible values of J with a taking 
the values from up to I, excluded. Describing the meaning of forest cardinalities, on the other hand, 
requires some effort. Informally, the index @^' J K counts the number of nodes in a forest composed of J 
trees described using K. Each node in the forest is (uniquely) identified by a natural number, starting form I 
and visiting the tree in pre-order. The index K has the role of describing the number of children of each 
forest node, e.g. the number of children of the node is K{0/a}. More formally, the meaning of a forest 
cardinality is defined by the following two equations: 

1,0 

@K 

a 

I.J + 1 

© K 

a 

The first equation says that a forest of trees contains no nodes. The second one tells us that a forest of 
J + 1 trees contains: 

• The nodes in the first J trees; 

• plus the nodes in the last tree, which are just one plus the nodes in the immediate subtrees of the root, 
considered themselves as a forest. 

Consider the following forest comprising two trees: 
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and consider an index K with a free index variable a such that K{l/a} = 3; K{n/a} = 2 for n e {2,8}; 
K{n/a} = 1 when n e {0,6,9,11}; and K{n/a} = when n e {3,4,7,10,12}. That is, K describes the 
number of children of each node. Then @^ 2 K = 13 since it takes into account the entire forest; 1 K = 8 
since it takes into account only the leftmost tree; @^ K = 5 since it takes into account only the second 
tree of the forest; finally, @„' 3 K = 6 since it takes into account only the three trees (as a forest) within the 
dashed rectangle. 

One may wonder what is the role of forest cardinalities in the type system. Actually, they play a crucial 
role in the treatment of recursion, where the unfolding of recursive calls produces a tree-like structure whose 
size is just the number of times the (recursively defined) function will be used globally. 

Notice that [1]^ is undefined whenever the equality between I and any natural number cannot be derived 
from the underlying equational program. In particular, a forest cardinality may be undefined even if all its 
subterms are defined: as an example I = 1 has no value, because the corresponding tree consists of 

an infinite descending chain and its cardinality is infinite. By the way I is the index term describing the 
structure of the recursive calls induced by the program fix x.t. 
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3.1.2 Semantic Judgements 



A constraint is an inequality on indexes. A constraint I < J is valid for p and £ when both [I]^ and p]p 
are defined, and \lf p < [J]£. As usual, we can derive a notion of equality and strict inequality from ^. A 
semantic judgement is of the form 

0; $ \= e I s? J , 

where $ is a set of constraints and <f> is the set of free index variables in <!>, I and J. These semantic 
judgements are used as axioms in the typing derivations of diPCF, and the set of constraints $, called the 
index context, contains mainly some indications of bounds for the free index variables (such as a < K) . Such 
a judgement is valid when, for every valuation p ; <j> — * N, if all constraints in $ are valid for £ and p then 
so is I ^ J. 



3.2 Types 

Remember that d£PCF is aimed at controlling the complexity of programs. The time complexity of the 
evaluation is thus analysed statically, while typing the term at hand. The grammar for types distinguishes 



the subclass of linear types, which correspond to non-duplicable terms (see Section 2.1 ), and the one of modal 
types, for duplicable terms. In d^PCFv, they are defined as follows: 

A, B ::= a — ° r; linear types 

a, t ::= [a < I] • A | Nat [I, J]. modal types 

Indeed, CBV evaluation only duplicates values. If such a value has an arrow type then it is a function 
(either an abstraction or a fixpoint) that can potentially increase the complexity of the whole program if we 
duplicate it. Hence we may need a bound on the number of times we instantiate it in order to control the 
complexity. This bound, call the potential of the value, is represented by I in the type [a < I] • (a — o r) 

(also written a — o r). As explained in Section [2J Nat [I, J] is the type of programs evaluating to a natural 
number in the closed interval [I, J]. The potential for natural numbers is not specified, as they can be freely 
duplicated along CBV evaluation. 



3.2.1 Summing types 

Intuitively, the modal type a = [a < I] • A is assigned to terms that can be copied I times, the k th copy 
being of type A{k — 1/a}. For those readers who are familiar with Linear Logic, a can be thought of as 
representing the type A{0/a} ® • • • (x) A{1 — 1/a}. 

In the typing rules we are going to define, modal types need to be manipulated in an algebraic way. For 
this reason, two operations on modal types are required. The first one is a binary operation ty on modal 
types. Suppose that a = [a < I] • A{a/c} and that r = [a < J] • A{1 + a/c}. In other words, a consists of 
the first I instances of A, i.e. A{0/c} <S) ■ ■ ■ <S> A{1 — 1/c] while r consists of the next J instances of A, i.e. 
A{1 + 0/c} (x) • • • (g) A{1 + J — 1/c}. Their sum a tb r is naturally defined as a modal type consisting of the 
first I + J instances of A, i.e. [c < I + J] • A. Furthermore, Nat [I, J] tb Nat [I, J] is just Nat [I, J]. A bounded 
sum operator on modal types can be defined by generalising the idea above: suppose that 

a=[b<J]-A\b+Yi J{d/a}/c 1 . 

t d<a J 

Then its bounded sum Xi <i a ^ s J us * [ c < S a <i ^1 ' ^- Finally, 2] a <i Nat [J, K] = Nat [J, K], provided a does 
not occur free in J nor in K. 



3.2.2 Subtyping 

Central to d^PCF is the notion of subtyping. An inequality relation != between (linear or modal) types can 
be defined using the formal system in Fig. [3] This relation corresponds to lifting index inequalities to the 
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Figure 3: Subtyping derivation rules of d£PCFy. 
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Figure 4: Typing rules of d^PCF v . 

type level. As defined here, c is a pre-order (i.e. a reflexive and transitive relation), which allows to cope 
with approximations in the typed analysis of programs. However, in the type inference algorithm we will 
present in next section only the symmetric closure = of E, called type equivalence will be used. This ensures 
that the type produced by the algorithm is precise. 

3.2.3 Typing 

A typing judgement is of the form 

T h| i : r, 

where K is the weight of t, that is (informally) the maximal number of substitutions involved in the CBV 
evaluation oft (including the potential substitutions by t itself in its evaluation context). The index context <!> 
is as in a semantic judgement (see Section 3.1. 2[ ), and T is a (term) context assigning a modal type to (at 



least) each free variable of t. Both sums and bounded sums are naturally extended from modal types to 
contexts (with, for instance, {x : cr; y : t} tb {x : g, z : ip} = {x : a w g; y : r; z : tp}). There might be free index 
variables in $, T, r and K, all of them from (ft. Typing judgements can be derived from the rules of Figure|4] 
Observe that, in the typing rule for the abstraction (— °), I represents the number of times the value Xx.t 
can be copied. Its weight (that is, the number of substitutions involving Xx.t or one of its subterms) is then I 
plus, for each of these copies, the weight of t. In the typing rule (App), on the other hand, t is used once 
as a function, without been copied. Its potential needs to be at least 1. The typing rule for the fixpoint is 
arguably the most complicated one. As a first approximation, assume that only one copy of fix x.t will 
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be used (that is, K = 1 a docs not occur free in B). To compute the weight of fix x.t, we need to know 
the number of times t will be copied during the evaluation, that is the number of nodes in the tree of its 



recursive calls. This tree is described by the index I (as explained in Section 3.1.1), since each occurrence 



of x in t stands for a recursive call. It has H = (S)^' 1 1 nodes. At each node b of this tree, there is a copy 
of t in which the a th occurrence of x will be replaced by the a th son of 6, i.e. by b + 1 + I. The types 

thus have to correspond, which is what the second premise of this rule prescribes. Now if fix x.t is in fact 
aimed at being copied K > times, then all the copies of t are represented in a forest of K trees described 
by I. 

For the sake of simplicity, we present here the type system with an explicit subsumption rule. The latter 
allows to relax any bound in the types (and the weight), thereby loosing some precision in the information 
provided by the typing judgement. However, we could alternatively replace this rule by relaxing the premises 
of all the other ones (which corresponds to the presentation of the type system given in [13) , or in [12] for 
d^PCFfj). Restricting subtyping to type equivalence amounts to considering types up to index equality in 
the type system of Figure [4] without the rule (Subs) — this is what we do in the type inference algorithm in 
Section |4j In this case we say that the typing judgements are precise: 

Definition 3.1 A derivable judgement <fi;&;T\- f t : a is precise if 

f 0;$ h £ Acr 

4>; $; A hj t : t is derivable => < <j); $ \-£ a <Z T 

[ 0;$ \= £ I < J 

3.2.4 Call-by-value vs. Call-by-name 

In d£PCF|\i, the syntax of terms and of indexes is the same as in diPCFv, but the language of types differs: 

A, B ::= a — o A | Nat [I, J]; linear types 
<7, t ::= [a < I] • A. modal types 

Modal types still represent duplicable terms, except that now not only values but any argument to functions 
can be duplicated. So modal types only occur in negative position in arrow types. In the same way, one can 
find them in the context of any typing judgement, 

<j>; (x\ : cti , . . . , x„ : a n ) h| t : A. 

When a term is typed, it is a priori not duplicable, and its type is linear. It is turned into a duplicable 
term when it holds the position of the argument in an application. As a consequence, the typing rule (App) 
becomes the most "expansive" one (for the weight) in cJ^PCFm : the whole context used to type the argument 
has to be duplicated, whereas in d^PCFv this duplication of context is "anticipated" in the typing rules for 
values. 

The readers who are familiar with linear logic, could have noted that, if we replace modal types by banged 
types, and we remove all annotations with indexes, then d^PCF|\i corresponds to the target fragment of the 
CBN translation from simply-typed A-calculus to LL, and d^PCFv to the target of the CBV translation [26] . 

In d£PCFN, the weight K of a typing judgement represents the maximal number of substitutions that 
may occur in the CBN evaluation of t. We do not detail the typing rules of cJ^PCFm here (they can be found 
in |12j). However an important remark is that in d£PCF[\i, just like in d^PCF v , some semantic judgements can 
be found in the axioms of a typing derivation, and that every typing rule is reversible (except subsumption). 
The type inference algorithm for d^PCFv that we present in Section [4] can be easily adapted to d^PCF^. 

3.3 Abstract Machines 

The evaluation of PCF terms can be simulated through an extension KAMpcf of Krivine's abstract ma- 
chine [23] (for CBN evaluation) or through an extension CEKpcf of the Felleisen and Friedman's CEK ma- 
chine [TS] (for CBV evaluation). 
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(tu;0 * tt > (t;0 * arg<u;0' 7r 

(Xx.t;£_) * arg(c) • 7r > (t ; (x <-* c) ■ * tt 

( fix x.t ; £) * tt > {(; (n->( fix x.t ; £ )) • £) * 7r 

< X ; O * 7T > £(x) * TT 

( if z i then u else s ; £ ) * tt > ( t ; £) * fork (u ; s ; ■ tt 

<0;O * fork<i; u; 0-tt > <t;0 * tt 

< n+l ; £') * fork<i ; u; • tt > (w,0 * ^ 

<s(t);0 * tt > <i;0 * s-7T 

<p(t);0 * tt > <t;0 * p-vr 

<n;£) * s • 7T > ( n+1 ) * tt 

<n;£) * p • 7r > ( n— 1 ) * 7r 



Figure 5: KAMpcf evaluation rules. 



Both these machines have states in the form of processes, that are pairs of a closure (i.e. a term with 
an environment defining its free variables) and a stack, representing the evaluation context. In the KAMpcf, 
these objects are given by the following grammar: 



Closures: c 

Environment: £ 

Stacks: tt 

Processes: P 



<*;£>; 

{xi >-»• Ci;- • • j Xfa ' * c fe }; 
o | arg(i ; O' 71 " | s ' n \ P ' 7r 
fork(i ; u ; £> • 7r; 



When the environment is empty, we may use the notation ( t ) instead of ( t ; ) for closures. The evaluation 
rules of the KAMpcf are given in Figure [5j The fourth evaluation rule is said to be an instantiation step: 
the value of a variable x is replaced by the term x maps to in the underlying environment £. 

The CEKpcf machine, which performs CBV evaluation, is slightly more complex: within closures, the 
value closures are those whose first component is a value: v := <(u; £) (remember that a value v is of the 
form n, Xx.t or fix x.t). Moreover, environments assign only value closures to variables: 

£ := {xi Vi;- • • ;xfc h-» v fc } . 

The grammar for stacks is the same, with one additional construction (fun(v) • tt) that is used to encapsulate 
a function (lambda abstraction or fixpoint) while its argument is computed. Indeed, the latter cannot be 
substituted for a variable if it is not a value. The evaluation rules for processes are the same than in Figure [5] 
except that the second and the third ones are replaced by the following: 

v * ar g( c ) ■ tt > c * fun(v) • TT 

v * fun( Xx.t ; £) • tt > (i; a; h>v() * tt 

v * fun( fix x.t; ■ tt > (t ; x i— ► ( fix x.t ;£)•£) * arg(v) • tt 

An example of the evaluation of a term in the CEKpcf machine has been shown in Figure [2j 

We say that a term t evaluates to u in an abstract machine when (t) * o>(u;£) * o. Observe that 
if t is a closed term then u is necessarily a value. We write t JJ,™ u whenever the KAMpcf evaluates t to u in 
exactly n steps, and t JJ,™ u when the same holds for the CEKpcf (we may also omit the exponent n when 
the number of steps is not relevant). 



Abstract Machines and Weight The weight of a typable term was informally presented as the number 
of instantiation steps in its evaluation. Abstract machines enable a more precise formulation of this idea: 

Fact 1 l.Ift JJ, u, and \- f t : A is derivable in (MPCFn, then [I] is an upper bound for the number of 
instantiation steps in the evaluation oft by the KAMpcf- 
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2. Ift J| v u, and hf t : [a < 1] • A is derivable in d^PCFy, 
steps in the evaluation oft in the CEKpcf- 



then is an upper bound for the instantiation 



This can be shown by extending the notion of weight and of typing judgement to stacks and processes [T2"lll3| . 
and is the main ingredients for proving Intensional Soundness (see Section 3.4 1. 



3.4 Key Properties 

In this section we briefly recall the main properties of d^PCF, arguing for its relevance as a methodology for 
complexity analysis. We give the results for d£PCFy, but they also hold for d^PCFN (all proofs can be found 

in P3H3]). 

The subject reduction property guaranties as usual that typing is correct with respect to term evaluation, 
but specifies also that the weight of a term cannot increase along reduction: 

Proposition 3.1 (Subject Reduction) For any PCF-terms t,u, if<p; $; \- f t : r is derivable in d£PCFv, 
and if t —* u in CBV 7 then (f>; \- ? u : t is also derivable for some J such that <f>; <I> |=g J ^ I . 

As a consequence, the weight does not tell us much about the number of reduction steps bringing a (typable) 
term to its normal form. So-called Intensional Soundness, on the other hand, allows to deduce some sensible 
information about the time complexity of evaluating a typable PCF program in an abstract machine from 
its d^PCF typing judgement. 

Proposition 3.2 (Intensional Soundness) For any term t, i/ h| t : Nat [I, J] is derivable in d£PCFv, 
then t evaluates to n in k steps in the CEKpcF; with Jl] £ ^ n ^ JJ] £ and k ^ \t\ ■ ([K] + 1) . 

Intensional Soundness guarantees that the evaluation of any program typable in d^PCF takes (at most) a 
number of steps directly proportional to both its syntactic size and its weight. A similar theorem holds when 

t has a functional type: if, as an example, the type of t is Nat[a] — ° Nat[J], then K is parametric on a and 
(\t\ + 2) ■ ([[K] £ + 1) is an upper bound on the complexity of evaluating t on any integer a. 

But is d^PCF powerful enough to type natural complexity bounded programs? Actually, it is as powerful 
as PCF itself, since any PCF type derivation can be turned into a d^PCF one (for an expressive enough 
equational program), as formalised by the type inference algorithm (Section|4|. We can make this statement 
even more precise for terms of base or first order type, provided two conditions are satisfied: 

• On the one hand, the equational program £ needs to be universal, meaning that every partial recursive 
function is representable by some index term. This can be guaranteed, as an example, by the presence 
of a universal program in £ . 

• On the other hand, all true statements in the form <j>\ $ |=g I ^ J must be "available" in the type system 
for completeness to hold. In other words, one cannot assume that those judgements are derived in a given 
(recursively enumerable) formal system, because this would violate Godel's Incompleteness Theorem. In 
fact, in diPCF completeness theorems are relative to an oracle for the truth of those assumptions, which 
is precisely what happens in Floyd-Hoare logics [5]. 

Proposition 3.3 (Relative Completeness) If £ is universal, then for any PCF term t, 

1. ift Jjy m, then h f t : Nat[m] is derivable in d^PCFy. 

2. if, for any neN, there exist k n , m n such that tn JJ.J 1 " m n , then there exist I and J such that 

a; 0; hf t : [b < 1] • (Nat [a] -o Nat [J]) 

is derivable in d^PCF v , with \=e J{zV a l = m n o-nd \=£ ^ k n for all n e N. 

The careful reader should have noticed that there is indeed a gap between the lower bound provided by 
completeness and the upper bound provided by soundness: this is indeed the reason why our complexity 
analysis is only meaningful in an asymptotic sense. Sometimes, however, programs with the same asymptotic 
behavior can indeed be distinguished, e.g. when their size is small relative to the constants in their weight. 
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In the next section, we will see how to make a concrete use of Relative Completeness. Indeed, we will 
describe an algorithm that, given a PCF term, returns a d£PCF judgement h| t : r for this term, where £ 
is equational program that is not universal, but expressive enough to derive the typing judgement. To cope 
with the "relative" part of the result (i.e., the very strong assumption that every true semantic judgement 
must be available), the algorithm also return a set of side conditions that have to be checked. These side 
conditions are in fact semantic judgements that act as axioms (of instances of the subsumption rule) in the 
typing derivation. 

4 Relative Type Inference 

Given on the one hand soundness and relative completeness of d£PCF, and on the other undecidability of 
complexity analysis for PCF programs, one may wonder whether looking for a type inference procedure makes 
sense at all. As stressed in the Introduction, we will not give a type inference algorithm per se, but rather 
reduce type inference to the problem of checking a set of inequalities modulo an equational program (see 
Figure [l). This is the reason why we can only claim type inference to be algorithmically solvable in a relative 
sense, i.e. assuming the existence of an oracle for proof obligations. 

Why is solving relative typo inference useful? Suppose you have a program t : Nat => Nat and you want 
to prove that it works in a number of steps bounded by a polynomial p : N — » N (e.g., p(x) = 4 • x + 7). You 
could of course proceed by building a d£PCF type derivation for t by hand, or even reason directly on the 
complexity of t. Relative type inference simplifies your life: it outputs an equational program £, a precise 

type derivation for t whose conclusion is a;0; h f t : Nat [a] — o Nat [J] and a set 1 of inequalities on the 
same signature as the one of £ . Your original problem, then, is reduced to verifying \= £ Iu{I^ p(d)}- This 
is arguably an easier problem than the original one: first of all, it has nothing to do with complexity analysis 
but is rather a problem about the value of arithmetical expressions. Secondly it only deals with first-order 
expressions. 

4.1 An Informal Account 

From the brief discussion in Section [2j it should be clear that devising a compositional type inference 
procedure for d^PCF is nontrivial: the type one assigns to a subterm heavily depends on the ways the rest 
of the program uses the subterm. The solution we adopt here consists in allowing the algorithm to return 
partially unspecified equational programs: £ as produced in output by T gives meaning to all the symbols 
in the output type derivation except those occurring in negative position in its conclusion. 

To better understand how the type inference algorithm works, let us consider the following term t: 

uv = {\x.\y.x{xy)){\z.s{z)). 

The subterm u can be given type (Nat => Nat) => Nat => Nat in PCF, while v has type Nat => Nat. This 
means t as a whole has type Nat => Nat and computes the function x >— ► 2 • x. The type inference algorithm 
proceeds by giving types to u and to v separately, then assembling the two into one. Suppose we start with v. 

b<h(a) 

The type inference algorithm refines Nat => Nat into a = Nat[f(a, b)] — o Nat[g(a, b)] and the equational 
program A v , which gives meaning to g in terms of f: 

g(a,b) =f(o,6) + l. 

Observe how both f and h are not specified in A v , because they appear in negative position in a: f(a, b) 
intuitively corresponds to the argument (s) v will be applied to, while h(a) is the number of times v will be 
used. Notice that everything is parametrised on a, which is something like a global parameter that will later 
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be set as the input to t. The function ii, on the other hand, is given type 

c<j(a,fc) 

(Nat[p(a, 6, c)] — o Nat[q(a,6,c)]) 

6<k(a) 
c<m(a,b) 

Nat[l(a, 6, c)] — o' Nat[n(a, 6, c)]. 

The newly introduced function symbols are subject to the following equations: 

j(a,b) = 2 • m(a,b); 
n(a, 6, c) = q(a, &, 2c); 
p(a, 6, 2c) = q(a, 6, 2c + 1); 
p(a,6,2c + 1) = \{a,b,2c). 

Again, notice that some functions are left unspecified, namely 1, m, q and k. Now, a type for uv can be 
found by just combining the types for u and v, somehow following the typing rule for applications. First 
of all, the number of times u needs to be copied is set to 1 by the equation k(a) = 1. Then, the matching 
symbols of u and v are denned one in terms of the others: 

q(a,0,6) = g(a,6); 
i(a,b) = p(a,0,6); 
h(a) =j(a,0). 

This is the last step of type inference, so it is safe to stipulate that m(o, 0) = 1 and that l(a, 0, c) = a, thus 
obtaining a fully specified equational program £ and the following type r for t: 

C<1 

Nat [a] — o Nat[n(a,0, c)]. 

As an exercise, the reader can verify that the equational program above allows to verify that n(a, 0, 0) = a+2, 
and that 

a;0;0 hf t : t. 

4.2 Preliminaries 

Before embarking on the description of the type inference algorithms, some preliminary concepts and ideas 
need to be introduced, and are the topic of this section. 

4.2.1 Getting Rid of Subsumption 

The type inference algorithm takes in input a PCF term i, and returns a typing judgement J for t, together 
with a set 3% of so-called side conditions. We will show below that J is derivable iff all the side conditions in 



are valid. Moreover, in this case J is precise (see Definition 3.1 ): all occurrences of the base type Nat [I, J] 
are in fact of the form Nat [I], and the weight and all potentials H occurring in a sub-type [a < H] • A are 
kept as low as possible. Concretely, this means that there is a derivation for J in which the subsumption 
rule is restricted to the following form: 





0;$ \- £ A = 


r 




4>- $ \-£ a = 


r 


^;$ ; r hf t : g 


0;$ Nf I = 


J 



</>;$; A Mf t : r 

The three premises on the right boil down to a set of semantic judgements of the form {</>; $ \=g Ki = H.;} 
(see Figure [3]), where the Kj's are indexes occurring in a or A (or I itself) and the H^s occur in r or T (or 
are J itself). If the equalities = can all be derived from £, then the three premises on the right are 
equivalent to the conjunction (on i) of the following properties: 
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"[HjH is defined for any p : cf> — » N satisfying $" 



(see Section 3.1.2). Given £ , this property (called a side condition) is denoted by <fi; $ |= Hj J,. Actually the 
type inference algorithm does not verify any semantic or subtyping judgement coming from (instances of) 
the subsumption rule. Instead, it turns all index equivalences Hj = Kj into rewriting rules in £ , and put all 
side conditions <f>; $ 1= Hj J. in M. If every side condition in S% is true for £ , we write £ lh f\3%. Informally, 
this means that all subsumptions assumed by the algorithm are indeed valid. 



4.2.2 Function Symbols 

Types and judgements manipulated by our type inference algorithm have a very peculiar shape. In particular, 
not every index term is allowed to appear in types, and this property will be crucial when showing soundness 
and completeness of the algorithm itself: 

Definition 4.1 (Primitive Types) A type is primitive for <f) when it is on the form Nat[f(0)] ; or A —o B 
with A and B primitive for <p, or [a < f(0)] • A with a $ <f> and A primitive for a; <fr. A type is said to be 
primitive when it is primitive for some (j>. 

c<g(a,6) 

As an example, a primitive type for <p = a; b is Nat[f (a, b, c)] — o Nat[h(a, b, c)]. Informally, then, a type 
is primitive when the only allowed index terms are function symbols (with the appropriate arity). 



4.2.3 Equational Programs 

The equational program our algorithm constructs is in fact a rewriting program: every equality corresponds 
to the (partial) definition of a function symbol, and we may write it f(<xi, . . . , a,k) '•— J (where all free variables 
of J are in {ai, . . . , a*,}). If there is no such equation in the rewriting program, we say that f is unspecified. 

An equational program £ is completely specified if it allows to deduce a precise semantic (namely a partial 
recursive function) for each symbol of its underlying signature (written Eg), i.e. none of the symbols in Eg are 
unspecified. In other words: a completely specified equational programs has only one model. On the other 
hand, a partially specified equational program (i.e. a program where symbols can possibly be unspecified) can 
have many models, because partial recursive functions can be assigned to function symbols in many different 
ways, all of them consistent with its equations. Up to now, we only worked with completely specified 
programs, but allowing the possibility to have unspecified symbols is crucial for being able to describe the 
type inference algorithm in a simple way. In the following, £ and T denote completely specified equational 
programs, while A and B denote rewriting programs that are only partially specified. 

Definition 4.2 (Model of a Rewriting Program) An interpretation p of A in £ is simply a map from 
unspecified symbols of A to indexes on the signature Eg, such that if f has arity n, then p(i) is a term in 
Yi£ with free variables from {ai, . . . , a„}. When such an interpretation is defined, we say that £ is a model 
of A, and we write p : £ \= A. 

Notice that such an interpretation can naturally be extended to arbitrary index terms on the signature E^, 
and we assume in the following that a rewriting program and its model have disjoint signatures. 

Definition 4.3 (Validity in a Model) Given p : £ \= A, we say that a semantic judgement cf>; $ 
I ^ J is valid in the model (notation: </>;<!> |= M I ^ J) when </>;<!> \=jr I ^ J where T = A u £ u {f := 
| f is unspecified in A}. This definition is naturally extended to side conditions (with p\\- f\3# standing 
forT\rl\@). 

Please note that if A is a completely specified rewriting program, then any model (j, : £ j= A has an 
interpretation p with an empty domain, and jl* II — /\& iff A lh [\3% (still assuming that E_4 and E^ are 
disjoint). Now, suppose that p : £ \= A and that the index terms I (from Ef) and J (from E^) are such 
that 4>; $ \=£ I < p(J)- Then, with a slight abuse of notation, we simply write (f>; $ N M I < J. The same 
notation can be extended to types and judgements. 
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As already mentioned, the equational programs handled by our type inference algorithm are not necessar- 
ily completely specified. Function symbols which are not specified are precisely those occurring in "negative 
position" in the judgement produced in output. This invariant will be very useful and is captured by the 
following definition: 

Definition 4.4 (Positive and Negative Symbols) Given a primitive type t, the sets of its positive and 
negative symbols (denoted by t + and t~ respectively) are defined inductively by 

Nat[i(0)]+ = {i}; Nat[i(0)]- = 0; 

[a < h((j>)] • (<r — o t) + ; = er~ u r+; [a < h(</>)] • {a — o t)~ ; = {h}ucr + UT~. 

Then the set of positive (resp. negative) symbols of a judgement (xi : cr i ) i ^ n |— f t : t is the union of 
all negative (resp. positive) symbols of the o~i's and all positive (resp. negative) symbols of r . 

Polarities in { + , — } are indicated with symbols like p, q. Given such a p, the opposite polarity is —>p. 

Definition 4.5 (Specified Symbols, Types and Judgments) Given a set of function symbols S , a sym- 
bol f is said to be (<S, „4)-specified when there is a rule f(0) := J in A such that any function symbol ap- 
pearing in J is either f itself, or in S, or a symbol that is (S u {f}, .A\{f (</>) := J}) -specified. Remember that 
when there is no rule f(0) := 3 in A the symbol f is unspecified in A. A primitive type a is said to be 
(p,S, A) -specified when all function symbols in a v are [S, A) -specified and all symbols in a^ v are unspec- 
ified. A judgement (f>; <£>; T \- J 4 t : r is correctly specified when r and all types in T are primitive for <j>, 
and t is (+, Af , A) -specified, and all types in T are (— ,A/", A) -specified, and all function symbols in 1 are 
(Af, A) -specified where Af is the set of negative symbols of the judgement. 

In other words, a judgement is correctly specified if the underlying equational program (possibly recursively) 
defines all symbols in positive position depending on those in negative position. 

4.3 The Structure of the Algorithm 

The type inference algorithm that we develop here receives in input a PCF term t and returns a d£PCF 
judgement hf; t : r for it, together with a set of side conditions 3%. We will prove that it is correct, in the 
sense that the typing judgement is derivable iff the side conditions hold. The algorithm proceeds as follows: 

1. Compute dpcF, a PCF type derivation for t; 

2. Proceeding by structural induction on dpcF, construct a d£PCF derivation for t (call it d v ) and the 
corresponding set of side conditions 3%; 

3. Returns ^ and the conclusion of d v . 

The skeleton ([cr]) (or ([^4])) of a modal type a (resp. of a linear type A) is obtained by erasing all its 
indexes (and its bounds [a < I]). The skeleton of a d£PCF derivation is obtained by replacing each type by 
its skeleton, and erasing all the subsumption rules. In PCF the type inference problem is decidable, and the 
Step[T] raises no difficulty: actually, one could even assume that the type dpcF attributes to t is principal. 
The core of the algorithm is of course Step [2] In Section. |4.5| we will define a recursive algorithm GEN that 
build d v and 3% by annotating dpcF- The algorithm gen itself relies on some auxiliary algorithms, which will 
be described in Section li~4l below. 

All auxiliary algorithms we will talk about have the ability to generate fresh variables and function 
symbols. Strictly speaking, then, they should take a counter (or anything similar) as a parameter, but we 
elide this for the sake of simplicity. Also we consider that we assume the existence of a function a((j>; T) 
that, given a set of index variables <f> and a PCF type T, returns a modal type r primitive for </>, containing 
only fresh function symbols, and such that flY]) = T. 

4.4 Auxiliary Algorithms and Linear Logic 

The design of systems of linear dependent types such as d^PCFy and d^PCFu is strongly inspired by BLL, 
itself a restriction of linear logic. Actually, the best way to present the type inference algorithm consists in 
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first of all introducing four auxiliary algorithms, each corresponding to a principle regulating the behaviour 
of the exponential connectives in linear logic. Notice that these auxiliary algorithms are the main ingredients 
of both d^PCFy and dfPCFu type inference. Consistently to what we have done so far, we will prove and 
explain them with d£PCFv in mind. All the auxiliary algorithm we will talk about in this section will take a 
tuple of d^PCFy types as first argument; we assume that all of them have the same skeleton and, moreover, 
that all index terms appearing in them are pairwise distinct. 

Dereliction. Dereliction is the following principle: any duplicable object (say, of type \A) can be made 
linear (of type A), that is to say \A — » A. In d^PCF, being duplicable means having a modal type, which 
also contains some quantitative information, namely how many times the object can be duplicated, at most. 
In d£PCF, dereliction can be simply seen as the principle [a < 1] • A — > A{Q/a}, and is implicitly used in the 
rules (App) and (Fix). Along the type inference process, as a consequence, we often need to create "fresh 
instances" of dereliction in the form of pairs of types being in the correct semantic relation. This is indeed 
possible: 

Lemma 4.1 There is an algorithm der such that given two types r (primitive for <fr) and a (primitive 
fora,4>) of the same skeleton, DER((cr, r); a; <p; = (A,&) where: 

1. for every £ 2 A, if£\\-/\& then <p; $ \- e er{0/a} = t; 

2. whenever 0; $ \~e 0{O/a} = £ where ([g]) = ([a]), there is \i : £ \= A such that (f>; $ a = Q, 
0;$ h M t = i, and fj, lh 

3. g is (p,r p , A) -specified and r is (^p 7 a^ p , A) -specified. 

Proof. The algorithm DER is defined by recursion on the structure of a: 

• Here are two base cases: 

DER((Nat[f (a, 4>)l Nat[g(0)]); a; <f>; $; +) = ({g(<f>) := f (0, </>)}, {0, $ |= f (0, 0) J}) 
DER((Nat[f (a, <f>)], Nat[g(0)]); a; 0; $; -) = ({f (a, <f) ■= g(0}, {0, * h g(^) I}) 

• Inductive cases are slightly more difficult: 

(^u^ + u{g(^) :=f(0»}, 

«ru* 2 + u^,$hf(o,«i}); 

(Af vA£ v{i(a,<j>) :=g(#)}, 

where: 

der((cti, ti); a; b, (f>; 6 < f (0, 0); +) 

der((o-i,ti); a; 6, g(<£);-) 
der((<t 2 , r 2 ); a; 6, 0; b < f (0, 0); +) 

der((ct 2 , r 2 ); a; 6, </>;$,&< g(0); -) 

Let us now prove the Lemma by induction on the structure of a: 

• If a = Nat[f(0, 0], then the thesis can be easily reached; 

b<i(a,(j>) b<g(4>) 

• Suppose that a = a\ — o er 2 and that r = n — o r 2 . For simplicity, suppose that p = + (the case 
p = — is analogous) : 

1. If £ 2 .4, then £ 2 -4^ and £ 2 -4 2 . Moreover, if £ lh tncn > of course £ lh A^T and 

£ lh ■ As a consequence, by induction hypothesis, we have 

<j),b;<P,b < g((f>) hf(Ti{0/a} = n; 
0, 6; $, 6 < f(a, 0) hf cr 2 {0/a} = r 2 . 



6<f(a,0) b<g(0) 

der((cti -o ct 2 ,ti -o T 2 );a;0;*;+) 



6<f(a,0) b<g(0) 

DER((ai -o a 2 ,ri -o T 2 );a;0;$;-) 



— (A 1 , ) ; 
= (-4+,<); 
= (A2 ,^2)' 

= (Ao,Mo). 
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From 4>; $ \=g f (0, (p) J, it follows that </>; $ |=£ g(</>) = f (0, <f>). As a consequence, 

0; $ h £ cr = r. 

2. If 0; $ g{0/a} = £ where ([e>]) = ([cr]), we can safely assume that 



fc<i 

Q = Ql -° Q2 

£ = Si - 6 



and moreover, that 



0, l{0/a} h £ Qi{0/a} = fi{0/a}; 

0,6; $,6 < J h £ £> 2 = 6; 

0; $ N £ I{0/a} = J. 

Assume for the sake of simplicity that p = +. Then, from the two judgements above, one obtains: 

<j>, b; $, b < f(0, 4>) r-£u{f(a,^):=i} 0i{O/a} = £i{0/a} 
<j>, b;$,b < g(» l-£: w { g (0): = j} £> 2 = 6 

By induction hypothesis, there are fii : {£ u {f(a, 0) := I}) |= .47/ an d A* 2 : (£ u {g(</0 : = J}) H -^2 
such that 

0, 6; b < f(0, 0) r-£ U {f( ,^):=i} oi{0/a} = £>i{0/a}; 
0, 6; $, 6 < f(0, 0) h£u{f(a,0:=I) Ti{0/o} s ^{0/a}; 

0, 6; $, 6 < g(0) h £u{g (0) := j } cr 2 s p 2 ; 

0, 6; $, 6 < g(</>) h £u{g (0) := j} r 2 = £ 2 - 

and (Lti !h and ^ 2 lh f\S$t ■ By way of the push-out technique, we get e\ : £ (= .47/ and 

e 2 : £ |= ^4+ such that ei lh A^T > an< ^ e 2 II" f\^t ■ Now, is defined as /ii u/z 2 , plus the assignment 
of I (after some a-renaming) to f. First of all, notice that /z lh /\ M, simply because <f>\ $ \=£ l{0/a} J,. 
Moreover, observe that, by easy manipulations of the derivations above, one gets: 

0,6;$,6 < l{0/a} h„ a x {Q/a) = ft{0/a}; 
0, 6; $, 6 < l{0/a} h, t n{0/a} = £i{0/a}; 

0, < J hp cr 2 s £ 2 ; 

(t>,b;$,b < J hp r 2 = £ 2 - 

3. This is an easy consequence of how cr and r are built. 
This concludes the proof. □ 

The algorithm der works by recursion on the PCF type ([cr]) and has thus linear complexity in |([cr])|. 

Contraction. Another key principle in linear logic is contraction, according to which two copies of a 
duplicable object can actually be produced, I A —>IA®\A. Contraction is used in binary rules like (App) or 
(//), in the form of the operator tb. This time, we need an algorithm CTR which takes three linear types 
A, B and C (all of them primitive for (a, 4>)) and turn them into an equational program and a set of side 
conditions: 

cjtr((A, B, C); (I, J); a; 0; $;p) = (A,X). 

The parameters I and J are index terms capturing the number of times B and C can be copied. A Lemma 
akin to 4.1 can indeed be proved about CTR. 
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Lemma 4.2 There is an algorithm CTR such that whenever B and C are two linear types of the same 
skeleton and primitive for (a,<p), CTR((B, C, I); (J, a); 4>; 3>;p; =)(A, A,&), where: 

• A is primitive for a, (j), and (pi]) = ([£?]) = ([C]); 

• For any £ 3 A, £ Ih l\M iff 

<t>; $ \-s [a < I + J] • A = ([a < I] • B') tu ([a < J] ■ C") 

/or some £?' and C" sucft £/iaf < I B' = B and </>; a < J hf C" = C. 

• A is (p, B p u C p , A) -specified, and B and C are (—>p, A~" p , A) -specified. 

Digging. In linear logic, any duplicable object having type I A can be turned into an object of type UA, 
namely an object which is the duplicable version of a duplicable object. Digging is the principle according 
to which this transformation is possible, namely I A — A\A. At the quantitative level, this corresponds to 
splitting a bounded sum into its summands. This is used in the typing rules for functions, (— °) and (Fix). 

The auxiliary algorithm corresponding to the digging principle takes two linear types and builds, as usual, 
a rewriting program and a set of side conditions capturing the fact that the first of the two types is the 
bounded sum of the second: 

DiG((A,fl);(i,J);0;(a,&);S;p) = {AM). 

The correctness of DIG can again be proved similarly to what we did in Lemma |4~T) the key statement being 
that for every £ 2 A such that £ Ih /\ the following must hold 

$ h £ [b < ^ J] • A = ^ [6 < J] • C 

a<I a<I 

for some C such that <fi; $, a < I, b < J h£ C = B. 

Lemma 4.3 There is an algorithm dig such that for any linear type B primitive for (a, b, 4>), 
DIG((S,I);(J,0);a;(6,$);p; )= (A,A,&), where: 

• A is primitive for b, <f>, and ([A]) = ([£?]) ; 

• for any £ A, £ \r f\M iff 

0; $ h £ [b < ^ J] • A ee ^ [6 < J] • B' 

a<\ a<I 

for some B' such that 4>; 3>, a < I, b < J \~s B' = B: 

• A is (p, B p , A) -specified and B is (—>p, A~" p , A) -specified. 

Weakening. Weakening means that duplicable objects can also be erased, even when the underlying index 
is 0. Weakening is useful in the rules (Ax) and (n). Once a fresh d^PCFy type A is produced, the only 
thing we need to do is to produce an equational program A specifying (in an arbitrary way) the symbols in 
A p , this way preserving the crucial invariants about the equational programs manipulated by the algorithm. 
Formally, it means that there is an algorithm weak such that 

WEAK(A; <j); a;p) = A, 

where A is (p, 0, >4)-specified 

Lemma 4.4 There is an algorithm weak such that weak(T; <fi; a;p) = (^4,-4) where, 

• A is primitive for a; <f>, and (]yl]) = T; 

• for every £ 3 A, it holds that (f>; $, a < |— s A = A; 

• A is (p, , A) -specified. 

Observe how no sets of constraints is produced in output by weak, contrarily to DER and CTR. 
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Some Extra Functions. There are also some extra auxiliary algorithms that are used by the function gen. 
Although they are not related to some exponential rule of LL, they are defined in a similar way than the 
previous one. 

The following lemma is used for type checking the (Ax) rule: 

Lemma 4.5 There is an algorithm EQ such that, given two types a and r primitive for <j> and of same 
skeleton, eq((t; a); (f>; $;p) = (A;&) where, 

• for every £ 3 A, £ \\- 0; $ \-£ r = a; 

• r is (p, a^ p , A) -specified and a is (—*p, t p , A) -specified. 

We also need a generalisation of the dereliction algorithm, where any index I can be used instead of 
in DER. It is necessary for type checking a fix point. 

Lemma 4.6 There is an algorithm SUBS such that, for any type r primitive for (f> and a primitive for ((f), a) 
that have the same skeleton, SUBS((cr, r); a; I; (f>; 3>;p) = (A,M) where, 

• for any £ 2 A, £ lh /\Stf, (j>; $ he <j{l/a} = t; 

• a is (p,r p , A) -specified and r is (~^p,o~^ p , A) -specified. 

The following lemma is needed to type check the (If) rule. It requires to use a function symbol if (a, b, c) 
with two equations: if (0, b,c) = b and if (a + 1, b, c) = c. 

Lemma 4.7 There is an algorithm fork such that for any types t\,t% with the same skeleton, that are 
primitive for <j>, 

fork(ti;t 2 ; I; <f>;3> ;p) = (a,A,M) where, 

• a is primitive for (a, <p), and ([a]) = fl/r^]); 

• For any equational program £ 2 A, £ \\- f\tM iff 
ef>; I = he n = o- and 4>; I > 1 he r 2 = a; 

• a is (p,r p u t p , A) -specified, and t± and r 2 are (-^p,a^ p , A) -specified. 



4.5 The Type Inference Procedure 

In this section, we will describe the core of our type inference algorithm. This consists in a recursive algorithm 
GEN which decorates a PCF type derivation dpcF, producing in output a d^PCF judgement, together with an 
equational program and a set of side conditions. In order to correctly create fresh symbols and to format 
side conditions properly, the main recursive function gen also receives a set of index variables <fi and a set 
of constraints $ in input. Thus, it has the following signature: 

GEN(0,$,d PCF ) = (T^t-.r-A^M). 

We will prove that the the output of gen satisfies the following two invariants: 
• Decoration, ([r]) h t : flY]) is the judgement concluding c?pcf- 



• Polarity. (f>; $;T h J 4 t : r is correctly specified (Definition 4.5). 
The algorithm GEN proceeds by inspecting dpcF in an inductive manner. It first annotates the types in the 
conclusion judgement with fresh function symbols to get a d^PCF judgement J . Then a recursive call is 
performed on the immediate sub-derivations of dpcF, this way obtaining some d^PCF typing judgement Ji. 
Finally GEN generates, calling the auxiliary algorithms, the equations on function symbols that allow to 
derive J from the J7i's, The equations are written in A, and the required assumptions of index convergence 
in M. 

Decoration and Polarity are the invariants of the algorithm GEN. In particular, the auxiliary algorithms 
are always called with the appropriate parameters, this way enforcing Polarity. 
The algorithm computing gen proceeds by case analysis on dpcF- 

• Assume dp CF = =— -(Ax) . 

yi : t/i, . . . ,y k : U k ,x : T h x : T 

For each i, let Bi = a(4>\ Ui) and Ai = WEAK(i?i; <fi; bi; —) (where all the bi's are fresh). Then let a and r 
produced by a(<j>; T), and write (Aq\£%) = EQ((t; a); </>; +). Thus return (r, x : a ho x : t;A\M) with 
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A = Ao u Ui<fc(-^ u ( h * := °)) 
L = { yi : [bi < hi] ■ Bi}i^ k 
where the hj's are fresh. 

Suppose dpcF = 77 77 (n) . 

Vi ■ U u ...,y k : U k hn:Nat v ; 

Again, let Bi = a(<fi; Uj) and Ai = WEAK(i3i; 0; bi\ — ) . Let \((f) be a fresh function symbol. Then return 
(r ho n : Nat[i(0)]; A; 0) where the hj's are fresh symbols and 

A = \J(Ai u {hi(4) := 0}) u { i(0) := n }; 

L = : [6i < hi (</>)] • Bi}^. 



(rf' pcF ) : n h t : Nat 

It (IpCF = 77 7^ (SI ■ 

n h s(t) : Nat w 

Let (L h-K t : Nat[j(0)]; A ; M) = GEN(d' PCF , (f>, $), and let i(</>) be a fresh symbol. Then return (L |-k 
s(t) : Nat[i(0)];^;^) where .4 = A u { i(0) :=j(<£) + 1 }. 

For the typing rule (p), we do the same as previously but with \(<fi) = j(^>) — 1 instead of i(</>) = j(</>) + 1 
in the equational program. 

(rfpcFo) : II h t : Nat (d PC Fi) : H \- Ui : T (d PCF2 ) : U h u 2 : T 

It c(pcf= (If) , 

II h if z i then Ui else u 2 : T 

let (r h K i : Nat [j ((/.)]; A; ^o) = GEN(d PC Fo,0, and (A, h Hl : Tj;A;<^) = GEN(d PC Fi, </>, $i) 

(for i = 1,2), with $i = ($,j(</>) = 0) and $ 2 = ($,j(</>) 5* !)• n and t 2 both have skeleton T and 

are primitive for <f> (since Decoration and Polarity hold by induction hypothesis). So we can compute 

(t';A';M') = FORK(r i; T 2 ;j(0);0;$;+). 

In the same way, Ai and A 2 have the same skeleton II. So for each (t/j : <7j) in Ai there is (yi : a[) 
in A 2 so that we can compute (a" , A\, 3%'^) = FORK(crj; <7j; j(^); (j); 3>; — ). Let A = { yi : of} and write 
[ai < mi] ■ Ci = <r" . A also has skeleton LI, and so has T. So for each i, there is some variable declaration 
yi : [ai < ni] • Bi in T, so that we can compute (Ai, A", = CTR((i?j, Ci, nj); (irij, a,i);<p; $; — ;). 
Then let hj(^>) be a fresh symbol for each i, and return (L' |-k+h ifz i then u\ else u 2 : t';A]&) 
where 

A = Ao v Ai v A2 v A' v { \(4>) ■= ^ + mi }i 

uUi(^^^') 
r = {y, : [a, < hj(0)] • 
H = if(j(0),H!,H 2 ) 

If dpCF = 

4cf : II h t : £7 => T 4cf ^htcf/ 
n h t u : T 

let (Li h-K i : [a < t (</>)] ■ (01 -° (J 2 );Ai]3ii) = GEn(0; $; d PC Fi), and (L 2 h H u : t; 4 2 ; ^2) = 
GEN((/j; dpcF 2 )- Let (B,y) = DER((«ti, t); a; 0; +). We then annotate T: let t 2 = a((j>;T), and let 
(C,^) = der((ct 2 , r 2 ); a; 0; $; — ). Then we build a context equivalent to T x w T 2 : for any y : [b y < 
i y ((f>)] ■ By in Li, there is some y : [b y < j y ((f))] ■ C y in L 2 (possibly after some a-conversion) . Then let 
A y = a((b y ,(f>);([By])), and (A v ;& v ) = CTR((A y , B y , C y ); (i„ (</>), j y ((/>)); b v ; <j>; $; -). There are A, = T t 
(for i = 1,2) such that <p; $ hs {y ■ [b v < i y ((fi) + j y (<fi)] ■ A y } y = Ai w A 2 , for every £ 2 (J y such that 
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£ lh /\(U y 3$y)- Thus let hy's be fresh symbols and return (A h k+h tu : t-z\A\3£) with 

u(J(^,u{0;$Ni,(0)+j !/ (0) U); 

y 

^ = Aui 2 uBuCu {f(0) := 1} 

u|J u {h„(0) := iv(^) +j„(0)}); 
2/ 

A = {y:[6 y <h J/ (0)]-A J/ } I/ . 



Assume that dpcF is 



d' PCF : II, a; : Z7 h t : T 
n h Xx.t :U^T 



Let a be a fresh index variable, and i(0) be a fresh function symbol, and compute (T,x : cr |— k t 
t;B;^) = GEN(dp CF , (a, (ft), (a < i(0),$)). We build a context equivalent to Xi a <i(0) ^ : f° r ever y 2/ 
[by < j y (a,(j))] ■ By 6 F, let Ay = a ( ( 6 y , </>) ; ([.B^ ]) ) , let h a (0) be a fresh symbol, and write (A y ,ffl v ) = 
DIG ((Ay, By); (i(</>), j y (a, 4>));<j>; (a, b y ); -). Then return 

(A h i(0)+Sa<i( ^ K Xx.t : [a < i(0)] • {a -o r)M;#) 

where 

« = ^uL)(*yu{^;*l=£ 2 j„(a,0) i}); 

a a<i(0) 

A = Bvj u y (Ay u {hj,(^) := ^ J2/( a ^)}); 

a<i(0) 

A = { 2 /:[6j / <h J/ (0)]-A 3/ } 1/ . 



If dpCF = (Fix) . 

II h fix x.t : T 

Let & be a fresh index variable, and h(</>) be a fresh function symbol, and compute (r, x : [a < i(6, 4>)] -A \— j 
t : [a < m(&, (j))] ■ B\A';M') = GEn(c?' pcf , (b, <p), (b < h(0),<&)) (up to a-conversion we can assume that 
the index variable a is the same in the context and the type) . Because of the type equations we have to 
ensure (namely (a, 6, <t>);(a< i(b, <t>),b < h(</>), $) \- £ B{0/a}{l + b + @ b b +1 ' a i(b, <p)/b} = A), we will use 
intermediate types. 

First we annotate T: let a = a(b,<fi;T). Up to a-conversion, a = [a < 1(6,0)] • C for some C. Let 



(Ai,&i) = der((B, C); a; (&, 0); b < h(</>), $; -). By Lemma |4.l[ C is ( + , £?+, .4i)-specified and B is 
(— , C~, Ai)-specified, and for any £ 2 Ai, 

E\V l\M x <^=> 6,0;6<h(0),$h £ B{0/a} = C . 

Now let {A 2 ,M 2 ) = SUBS((C,A);6;1 + b + @^ +1 ' a i(6»; (a, 6, 0); a < i(6»,6 < h(<f>), -). By 
Lemma 4.6 A is (+, C + , y^-specified and C is (— , A~ , y^-specified, and for any £ 2 A2, £ lh A ^2 iff 

6+1, a 

a, 6, 0; a < i(&, 0), 6 < h(0), $ h £ C{1 + & + @ i(6, <£)/&} = A . 

b 

Here 
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Hence £\ u £2 is positively denned for A and negatively for B, and £\ u £2 2 J 7 1= (^1,^2) implies 
a, 6,0; a < \{b,<j>),b < h(0),$ B{0/a}{l + 6+ @ </>)/&} = A 

6 



Again we annotate T: let r = a(0;T). Up to a-conversion, r = [a < k(0)] • D for some £>. Let 
(£3,^3) = SUBS((C,r>);&;@°' a i(6,0);( a ,r/ 
negatively for A, and if £3 c J" |= ^ 3 then 



(£3,^3) = SUBS((C, D); b; @°' a i(6, 0); (a, 0); (a < k, $);-). Then £3 is positively specified for Z? and 



0,0 

a,0;a < k, $ Hf C*{@i(6, </>)/&} = L>. 

b 



Hence £1 u £2 u £3 is positively dehned for D and negatively for _B, and for any J- 2 £1 u £2 u £3, 
T N (^1,^2,^3) implies a, 0; a < k, @°' a i(o, 0) < h(<£),$ S{0/a}{@^ Q i(6, 0)/6} = D. Hence for 
any J" 2 £1 u£ 2 u£ 3 u {h(0) = @°' k(0) i(6, 0)} such that T N (^1,^2,^3) and <j>; $ @"' k(0) i(b, <f) \, 



0,a 

0;$ hjr [a < k] • B{0/a}{(S)i(6»/6} = [a < k] • D. 

b 

To deal with the context, we proceed as for (~-°): for every y : [b y < J y ] ■ B y e T, let (A y ,£ y ,M y ) = 
DlG((iL, h(0)); (J y) (f>); b; (b y) $); — ;). By Lemma 4.3 £ y is positively specified for B y and negatively 
for A y , and £ y ^ F \= 3£ y implies 

b<h(0) b<h(0) 

for some £^ such that (/>;$,& < h(4>),b y < J y I-jf B' = B y . Let \{4>) be a fresh symbol, and write 
£' y = £, u {1,(0) = L b<h(0) J,} and ^ = ^ u {0; $ N E 6 <i (0) J» U- 
Finally we return (d y ,3$) where 

St = fuf!uf 2 uf3u{PN @°' k(0) i(b, <j>) 1} u Uj,^; 



sO,k(0) . 



£ = £' u £1 u £ 2 u £3 u {h(0) = @™ i(6, 0)} u U y ^ 
A = {y:[5 tf <l 1 ,(0)]-i4 1 ,} 1( 

Lemma 4.8 For every cj>, <!>, and every PCF derivation dpcF, GEN(0; $; dper) is well defined on the form 
(r I — 1 1 : T]A]3%), and satisfies Decoration and Polarity. 



4.6 Correctness 

The algorithm we have just finished describing needs to be proved sound and complete with respect to 
d^PCFy typing. As usual, this is not a trivial task. Moreover, linear dependent types have a semantic nature 
which makes the task of formulating (if not proving) the desired results even more challenging. 



4.6.1 Soundness 

A type inference procedure is sound when the inferred type can actually be derived by way of the type system 
at hand. As already remarked, GEN outputs an equational program A which possibly contains unspecified 
symbols and which, as a consequence, cannot be exploited in typing. Moreover, the role of the set of proof 
obligations in Mis maybe not clear at first. Actually, soundness holds for every completely specified £ 2 A 
which makes the proof obligations in & true: 
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Theorem 4.9 (Soundness) If dpcF is a PCF derivation for t, then for any <f> and 4>, GEN(<^>; dpcF) = 
(r |— 1 1 : t; A; Si) where (j>; $; T hj 4 t : t is correctly specified and for any £ 2 A, 

t is derivable and precise. 

4.6.2 Completeness 

But are we sure that at least one type derivation can be built from the outcome of GEN if one such type 
derivation exists? Again, it is nontrivial to formulate the fact that this is actually the case. 

Theorem 4.10 (Completeness) If (f>; A hj t : a is a precise dfPCFy judgement derivable with d v , then 
GEN(0; ([d v ])) is of the form (T hi t : r; A; Si), and there is fj, : £ \= A such that [i Ih f\ Si. 



A direct consequence of soundness and completeness (and the remark on Definition 4.3 ) is the following: 
Corollary 4.11 If a closed term t is typable in PCF with type Nat and a derivation dpcF, then 

GEN(0;0;dpcF) = (hi t : Nat[f]; £ ;M) 
and t is typable in d^PCFy iff £ Ih l\Si. 

5 Type Inference at Work 

The type inference algorithm presented in the previous section has been implemented in OCAMlj^] Programs, 
types, equational programs and side conditions become values of appropriately defined inductive data struc- 
tures in Ocaml, and the functional nature of the latter makes the implementation effort easier. This section 
is devoted to discussing the main issues we have faced along the process, which is still ongoing. 

The core of our implementation is an Ocaml function called CheckBound. Taking a closed term t having 
PCF type T in input, CheckBound returns a typing derivation d v , an equational program £ and a set of side 
conditions Si. The conclusion of d v is a d^PCF typing judgement for the input term. If T is a first-order 



type, then the produced judgement is derivable iff all the side conditions in Sff, are valid (see Corollary 4.11 1. 
To do so, CheckBound calls (an implementation of) GEN on t and a context <ft consisting of n unconstrained 
index variables, where n is the arity of t. This way, CheckBound obtains A and Si. as results, and then 
proceeds as follows: 

• If T is Nat, then A is already completely specified and Corollary |4. 1 1| ensures that we already have what 
we need. 

• If T has a strictly positive arity, then some of the symbols in A are unspecified, and appropriate equations 
for them need to be added to A. Take for instance a term s of type Nat => Nat. CheckBound(s) returns A, 
Si, and a typing judgement on the form 

a- h£ t : Nat[g(a, b)] Nat[j(a, &)], 

where j is a positive symbol while f and g are negative, thus unspecified in A. A can be appropriately 
"completed" by adding the equations f(a) := 1 and g(a,6) := a to it. This way, we are insisting on the 
behaviour of t when fed with any natural number (represented by o) and when the environment needs t 
only once. 

How about complexity analysis? Actually, we are already there: the problem of proving the number of 
machine reduction steps needed by t to be at most p : N — » N (where p is, e.g. a polynomial) becomes the 
problem of checking £ \\- /\y where £ is the appropriate completion of A, and is S? u {(K + l)(\t\ + 2) 



p(a)} (Proposition 3.2) 



"the source code is 



available at |http: //lideal ■ cs .unibo . it 
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Simplifying Equations. Equational programs obtained in output from CheckBound contains many equa- 
tions which are trivial (such as f(a) = n or f(a) = g(a)), and as such can be eliminated. Moreover, instances 
of forest cardinalities and bounded sums can sometime be greatly simplified. As an example, Xia<o ^ can 
always be replaced by 0. This allows, in particular, to turn A into a set of fewer and simpler rules, thus 
facilitating the next phase. 

A basic simplification procedure has already been implemented, and are called by CheckBound on the 
output of GEN. However, automatically treat the equational program by an appropriate prover would be 
of course desirable. For this purpose, the possibility for CheckBound to interact with Maude [5], a system 
supporting equational and rewriting logic specification, is currently investigated. 

Checking Side Conditions. As already stressed, once CheckBound has produced a pair (A,M), the task 
we started from, namely complexity analysis of t, is not finished, yet: checking proof obligations in Si is 
as undecidable as analysing the complexity of t directly, since most of the obligations in are termination 
statements anyway. There is an important difference, however: statements in if are written in a language 
(the first-order equational logic) which is more amenable to be treated by already existing automatic and 
semi-automatic tools. 

Actually, the best method would be to first call as many existing automatic provers on the set of side 
conditions, then asking the programmer to check those which cannot be proved automatically by way of an 
interactive theorem prover. For this purpose, we have implemented an algorithm translating a pair in the 
form (A, £%) into a Why3 [6] theory. Indeed, Why3 is an intermediate tool between first order logic and 
various theorem provers, from SMT solvers to the COQ proof assistant 5j^]on the side conditions produced 
by CheckBound(i). Most of them are actually proved automatically, at least in the few example programs 
we have mentioned in the course of this paper Actually the symbol names used in the Why3 theory are 
the same as the ones used for the annotation of the type derivation (that can be printed by CheckBound). 
Hence trying to check interactively some side conditions, the programmer can access both the definition of 
a symbol in the equational program, and the subterm of t it refers to in the type derivation. 

However, using the proof assistant COQ on the few side conditions that remain to be interactively checked 
through the Why3 tool is not as simple as it should be. This is due to the way we express bounded sum 
and forest cardinality indexes in a first order logic. To facilitate the work of the programmer checking the 
side conditions, it would thus be suitable to also translate them directly into COQ, making use of its higher 
order definition facilities. The interactive theorem prover would be called directly, but only on those side 
conditions that cannot be proved automatically. This of course requires some special care: we would like to 
preserve a formal link between the Why3 theory and the statement which that have to be proved in COQ 
(or in any interactive theorem prover). 

All these issues are currently investigated and developed within Lideal [25] . 

6 Related Work 

Complexity analysis of higher-order programs has been the object of study of much research. We can 
for example mention the many proposals for type systems for the A-calculus which have been shown to 
correspond in an extensional sense to, e.g. polynomial time computable functions as in implicit computational 
complexity Many of them can be seen as static analysis methodologies: once a program is assigned a type, 
an upper bound to its time complexity is relatively easy to be synthesised. The problem with these systems, 
however, is that they are usually very weak from an intentional point of view, since the class of typable 
programs is quite restricted compared to the class of all terms working within the prescribed resource 
bounds. 

More powerful static analysis methodologies can actually be devised. All of them, however, are limited 
either to very specific forms of resource bounds or to a peculiar form of higher-order functions or else they 

3 Alt-brgo, Cvc3, E-prover, Gappa, Simpli fy, Spass, Vampire, v eriT, Yicex and Z3 
4 The results of these tests are available at http://lideal.cs.unibo.it/ 
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do not get rid of higher-order as the underlying logic. Consider, as an example, one of the earliest work 
in this direction, namely Sands's system of cost closures the class of programs that can be handled 

includes the full lazy A-calculus, but the way complexity is reasoned about remains genuinely higher-order, 
being based on closures and contexts. In Benzinger's framework [3] higher-order programs are translated 
into higher-order equations, and the latter are turned into first-order ones; both steps, and in particular the 
second one, are not completeness-preserving. Recent works on amortised resource analysis are either limited 
to first-order programs [5Dj or to linear bounds [33] ■ A recent proposal by Amadio and Regis-Gianas [2] 
allows to reason on the the cost of higher-order functional programs by way of so-called cost-annotations, 
being sure that the actual behaviour of compiled code somehow reflects the annotation. The logic in which 
cost annotations are written, however, is a form of higher-order Hoare logic. None of the proposed systems, 
on the other hand, are known to be (relatively) complete in the sense we use here. 

Ghica's slot games [TB] are maybe the work which is closest to ours, among the many in the literature. 
Slot Games are simply ordinary games in the sense of game semantics, which are however instrumented so as 
to reflect not only the observable behaviour of (higher-order) programs, but also their performance. Indeed, 
slot games are fully abstract with respect to an operational theory of improvements due do Sands [29) : 
this can be seen as the counterpart of our relative completeness theorem. An aspect which has not been 
investigated much since Ghica's proposal is whether slot games provides a way to perform actual verification 
of programs, maybe via some form of model checking. As we have already mentioned, linear dependency 
can be seen as a way to turn games and strategies into types, so one can see the present work also as an 
attempt to keep programs and strategies closer to each other, this way facilitating verification. 

7 Conclusions 

A type inference procedure for d^PCF has been introduced which, given a PCF term, reduces the problem 
of finding a type derivation for it to the one of solving proof obligations on an equational program, itself 
part of the output. Truth of the proof obligations correspond to termination of the underlying program. 
Any type derivation in d^PCF comes equipped with an expression bounding the complexity of evaluating the 
underlying program. Noticeably, proof obligations and the related equational program can be obtained in 
polynomial time in the size of the input PCF program. 

The main contribution of this paper consists in having shown that linear dependency is not only a very 
powerful tool for the precise analysis of higher-order functional programs, but is also a way to effectively 
and efficiently turn a complex problem (that of evaluating the time complexity of an higher-order program) 
into a much easier one (that of checking a set of proof obligations for truth) . 

Although experimental evaluation shows that proof obligations can potentially be handled by modern 
tools mixing automatic and semi-automatic reasoning, as explained in Section [5j much remains to be done 
about the technical aspects of turning proof obligations into a form which is suitable to automatic or semi- 
automatic solving. Actually, many different tools could conceivably be of help here, each of them requiring 
a specific input format. This implies, however, that the work described here, although not providing a 
fully-fledged out-of-the-box methodology, has the merit of allowing to factor a complex non- well-understood 
problem into a much-better-studied problem, namely verification of first-order inequalities on the natural 
numbers. 
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